Subject: Making "stealth" scans harder.
To: Darren Reed <darrenr@reed.wattle.id.au>
From: Darren Reed <darrenr@reed.wattle.id.au>
List: tech-security
Date: 09/17/1998 22:45:49
The below patch helps to reduce the leakage of internal socket information
when a TCP "stealth" scan is directed at a *BSD box by ensuring the window
is 0 for all RST packets generated through tcp_respond(). Patch is against
NetBSD-1.3G but should apply to others with some fuzz.
Cheers,
Darren
*** tcp_subr.c.orig Sun Aug 2 21:16:42 1998
--- tcp_subr.c Thu Sep 17 22:38:51 1998
***************
*** 214,220 ****
struct route *ro = 0;
if (tp) {
! win = sbspace(&tp->t_inpcb->inp_socket->so_rcv);
ro = &tp->t_inpcb->inp_route;
}
if (m == 0) {
--- 214,221 ----
struct route *ro = 0;
if (tp) {
! if (!(flags & TH_RST))
! win = sbspace(&tp->t_inpcb->inp_socket->so_rcv);
ro = &tp->t_inpcb->inp_route;
}
if (m == 0) {
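Review bot: with the new `if (!(flags & TH_RST))` guard, `win` keeps whatever value it had at its declaration whenever a RST is being built, and that declaration sits above this hunk; confirm it is initialised to 0 there, or add an explicit `else win = 0;`, so that no later use of `win` on the RST path can read an indeterminate value. As written the guard only spares one sbspace() call, since the window field itself is decided by the second test further down; if that second test stays, this one could be dropped so the TH_RST check is not repeated in two places.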
***************
*** 247,253 ****
ti->ti_ack = htonl(ack);
ti->ti_x2 = 0;
if ((flags & TH_SYN) == 0) {
! if (tp)
ti->ti_win = htons((u_int16_t) (win >> tp->rcv_scale));
else
ti->ti_win = htons((u_int16_t)win);
--- 248,254 ----
ti->ti_ack = htonl(ack);
ti->ti_x2 = 0;
if ((flags & TH_SYN) == 0) {
! if (tp && !(flags & TH_RST))
ti->ti_win = htons((u_int16_t) (win >> tp->rcv_scale));
else
ti->ti_win = 0;
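Review bot: the `else ti->ti_win = 0;` branch now covers two cases, `tp == NULL` and `tp` present with TH_RST set, and nothing in the source says why the second is safe; add a comment that a receiver ignores the window field of a segment carrying RST (RFC 793), so zeroing it only withholds the sbspace() value a scanner would otherwise read, and that RSTs built outside tcp_respond() are untouched, which the cover letter states but the code does not. A side effect worth noting in that comment: the `tp == NULL` case used to write `htons((u_int16_t)win)` and so depended on `win` starting at 0; the explicit 0 removes that dependency.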
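The leak the patch closes, modelled in user space as an added example (this is not NetBSD code and not part of Darren's patch). A "window scan" sends an ACK probe to a port; the kernel answers with a RST either from a LISTEN control block, whose receive-buffer space then lands in the window field, or with no control block at all for a closed port, giving window 0. The scanner reads the window and tells the two apart. The `tcb_stub` struct, the `before`/`after` selectors, the caller behaviour just described, and the 16384-byte receive space are assumptions made here to keep the model self-contained; window values are kept in host order inside the selectors and only converted when the header is built.

```c
/* Added example, not from the NetBSD tree or the posted patch.  The struct
 * and helper names are hypothetical stand-ins for struct tcpcb / sbspace(). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_ACK 0x10

/* Hypothetical stand-in for the parts of struct tcpcb tcp_respond() touches. */
struct tcb_stub {
    int32_t rcv_space;   /* what sbspace(&so->so_rcv) would return */
    uint8_t rcv_scale;   /* window scale shift applied on output */
};

/* Window selection as in the pre-patch code: the receive space of whatever
 * control block tcp_respond() was handed, RST or not (host order). */
uint16_t respond_win_before(const struct tcb_stub *tp, int flags)
{
    int32_t win = 0;
    if (tp)
        win = tp->rcv_space;
    if (flags & TH_SYN)
        return 0;                         /* SYN path not modelled here */
    if (tp)
        return (uint16_t)(win >> tp->rcv_scale);
    return (uint16_t)win;
}

/* Window selection as in the patched code: a RST never carries the window. */
uint16_t respond_win_after(const struct tcb_stub *tp, int flags)
{
    int32_t win = 0;
    if (tp && !(flags & TH_RST))
        win = tp->rcv_space;
    if (flags & TH_SYN)
        return 0;
    if (tp && !(flags & TH_RST))
        return (uint16_t)(win >> tp->rcv_scale);
    return 0;
}

/* Build the 20-byte fixed TCP header of a RST|ACK reply in network byte order. */
void build_rst(uint8_t hdr[20], uint16_t sport, uint16_t dport, uint16_t win)
{
    uint16_t v;
    memset(hdr, 0, 20);
    v = htons(sport); memcpy(hdr, &v, 2);
    v = htons(dport); memcpy(hdr + 2, &v, 2);
    hdr[12] = 5 << 4;                     /* data offset: five 32-bit words */
    hdr[13] = TH_RST | TH_ACK;
    v = htons(win);   memcpy(hdr + 14, &v, 2);
}

/* Scanner side: 1 if the RST's window betrays a live socket behind the port,
 * 0 if the window says nothing, -1 if the segment is not a RST at all. */
int rst_leaks_socket(const uint8_t hdr[20])
{
    uint16_t win;
    if (!(hdr[13] & TH_RST))
        return -1;
    memcpy(&win, hdr + 14, 2);
    return ntohs(win) != 0;
}

/* Probe a modelled listener and a closed port with the given window selector;
 * returns how many of the two RST replies reveal socket state. */
int count_leaks(uint16_t (*pick_win)(const struct tcb_stub *, int))
{
    /* Constructed sample: a LISTEN socket with a 16384-byte receive buffer and
     * scale 0, and a closed port, which has no control block at all. */
    struct tcb_stub listener = { .rcv_space = 16384, .rcv_scale = 0 };
    const struct tcb_stub *targets[2] = { &listener, NULL };
    uint8_t hdr[20];
    int leaks = 0;
    for (int i = 0; i < 2; i++) {
        uint16_t w = pick_win(targets[i], TH_RST | TH_ACK);
        build_rst(hdr, 80, 40000, w);
        if (rst_leaks_socket(hdr) == 1)
            leaks++;
    }
    return leaks;
}

int main(void)
{
    printf("before patch: %d of 2 RSTs leak socket state\n",
           count_leaks(respond_win_before));
    printf("after patch:  %d of 2 RSTs leak socket state\n",
           count_leaks(respond_win_after));
    return 0;
}
```

Before the patch the listener's RST carries window 16384 and the closed port's RST carries 0, so the scanner can separate them; after the patch both carry 0. Non-RST replies from a live control block (the `TH_ACK` only case in `respond_win_after`) still advertise the real window, which is the behaviour the patch deliberately preserves.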